Description
Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints. A remote, authenticated attacker possessing standard node-level credentials could leverage these endpoints to potentially retrieve unauthorized secrets or cause a denial of service (DoS). CyberArk Security Bulletin: CA26-20
Published: 2026-06-11
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper access control flaw in internal cluster endpoints of Idira Secrets Manager Self‑Hosted. A remote attacker who is already authenticated with standard node‑level credentials could exploit these endpoints to read secrets that were not meant to be accessible or to trigger a denial‑of‑service condition. The flaw aligns with CWE‑284, Unauthorized Access.

Affected Systems

The affected vendor is CyberArk Software, a Palo Alto Networks Company. The impacted products are Conjur Enterprise deployments on Idira Secrets Manager versions 13.0 through 13.8.0, on Central Credential Provider (CCP) 14.0 through 14.2.5, on z/OS Credential Provider 14.0 through 14.2.5, and on Credential Provider (CP) 14.0 through 14.2.5.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity. The EPSS score is not available, so actual exploitation probability is unknown, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need valid node‑level authentication, but internal cluster endpoints are usually available when the system is online, making the attack vector plausible for a motivated actor. No public exploit has been reported, but the high rating warrants prompt remediation.

Generated by OpenCVE AI on June 11, 2026 at 22:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Conjur Enterprise on Idira Secrets Manager to version 13.8.1 or later.
  • Upgrade Conjur Enterprise on Central Credential Provider, z/OS Credential Provider, and Credential Provider to version 14.2.6 or later.
  • Restrict access to internal cluster endpoints through network segmentation or firewall rules so that they are reachable from trusted management hosts only.
  • Review and tighten node‑level permissions to ensure only operators with appropriate authorization can access cluster services.


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints. A remote, authenticated attacker possessing standard node-level credentials could leverage these endpoints to potentially retrieve unauthorized secrets or cause a denial of service (DoS). CyberArk Security Bulletin: CA26-20
Title | | Idira Secrets Manager Self-Hosted: Improper Access Control in Internal Cluster Endpoints
First Time appeared | | Cyberark Software A Palo Alto Networks Company
 | | Cyberark Software A Palo Alto Networks Company conjur Enterprise
Weaknesses | | CWE-284
CPEs | | cpe:2.3:a:cyberark_software_a_palo_alto_networks_company:conjur_enterprise:*:*:central_credential_provider_ccp_:*:*:*:*:*
 | | cpe:2.3:a:cyberark_software_a_palo_alto_networks_company:conjur_enterprise:*:*:credential_provider_cp_:*:*:*:*:*
 | | cpe:2.3:a:cyberark_software_a_palo_alto_networks_company:conjur_enterprise:*:*:idira_secrets_manager:*:*:*:*:*
 | | cpe:2.3:a:cyberark_software_a_palo_alto_networks_company:conjur_enterprise:*:*:z_os_credential_provider:*:*:*:*:*
Vendors & Products | | Cyberark Software A Palo Alto Networks Company
 | | Cyberark Software A Palo Alto Networks Company conjur Enterprise
References | |
Metrics | | cvssV4_0 {'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: palo_alto

Published:

Updated: 2026-06-11T19:04:56.256Z

Reserved: 2026-05-08T23:01:00.502Z

Link: CVE-2026-45178

Vulnrichment

Updated: 2026-06-11T19:04:50.308Z

NVD

Status: Awaiting Analysis

Published: 2026-06-11T19:16:42.040

Modified: 2026-06-11T20:56:29.653

Link: CVE-2026-45178

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T22:15:09Z
